Category Archives: News

Article note: Have to agree. This was reliable mid-tier brands responding to the incentive structure, and reeks of Amazon making sure they couldn't become independently recognized enough to be independently viable.

Article note: Interesting. I'm still of the opinion that the only compelling reason to put up with an RHEL-like is because some tool is brittle and demands to run on RHEL X.Y, and Stream doesn't fulfill that need for users. I admire Greg's optimism that it might be a way into RH's cabal-driven-development scheme, but I find it less likely that an injection point between Fedora and RHEL represents much of an opportunity for input.

Article note: We need more of this kind of thing in at least CompE curricula, and I'd assert CS curricula as well even though it would make the theoreticians cry. I always inject some history when I can and get a chorus of "Oh, that makes sense now"s. Talking about the history of things is talking about the how and why of current practices. Exposing students to that would go a long way to damp both hanging on to bad assumptions (hint: modern performance analysis has little to do with operation counts and a lot to do with memory access patterns) and design fads that have been oscillating between extremes for 60 years.

Article note: Fack. Precautions reducing faster than vaccination rate because of the large retard-American population.

Article note: The "cybersecurity" landscape at the moment is really pretty ghastly. It's been a while since Microsoft shit the bed this hard. Now all we need is a worm that uses the RCE with a ransomware payload to bring "old computer suck" and "modern computer suck" together.

Enlarge (credit: Getty Images)

An emergency patch Microsoft issued on Tuesday fails to fully fix a critical security vulnerability in all supported versions of Windows that allows attackers to take control of infected systems and run code of their choice, researchers said.

The threat, colloquially known as PrintNightmare, stems from bugs in the Windows print spooler, which provides printing functionality inside local networks. Proof-of-concept exploit code was publicly released and then pulled back, but not before others had copied it. Researchers track the vulnerability as CVE-2021-34527.

A big deal

Attackers can exploit it remotely when print capabilities are exposed to the Internet. Attackers can also use it to escalate system privileges once they’ve used a different vulnerability to gain a toe-hold inside of a vulnerable network. In either case, the adversaries can then gain control of the domain controller, which as the server that authenticates local users, is one of the most security-sensitive assets on any Windows network.

Article note: These are always fun. Getting to a state where you can use the microcode read/write instructions they found is clearly tricky, but I could see an escalation paths with a CSME exploit to get into the appropriate debug mode, or side effects from speculatively executing (because of course it speculatively executes them) the special instructions to leak data from the security by complexity bullshit on the processors or the like. There _are_ apparently some machine-readable unique identifiers in the parts they studied which is itself interesting/concerning.

Article note: Passwords win because they are _disposable_. I don't _want_ to give random internet hustler #83445 more information about or access to me for them to misuse or to be leaked in their next breach. I don't want to give a phone number that will be used for marketing purposes after they get bought out, install an intrusive app on my phone, hand over biometric data that they'll totally hash properly like they fail to do passwords, let randos leave tracking residue on my machine, or accrue a pile of expensive variously-incompatible physical tokens to manage.

Not exactly a 25-character, randomized string of numbers, letters, cases, and symbols. (credit: Dan Goodin)

There are certain sci-fi promises the future is supposed to hold: jetpacks, flying cars, a Mars colony. But there are also some seemingly more attainable goals that somehow also always feel just on the horizon. And one of the most tantalizing is the end of passwords. The good news is that the infrastructure—across all the major operating systems and browsers—is largely in place to support passwordless login. The less-good news? You're still plugging passwords into multiple sites and services every day, and you will be for a while.

There's no doubt that passwords are an absolute security nightmare. Creating and managing them is annoying, so people often reuse them or choose easily guessable logins—or both. Hackers are more than happy to take advantage. By contrast, passwordless logins authenticate with attributes that are innate and harder to steal, like biometrics. No one's going to guess your thumbprint.

You likely already use some version of this when you unlock your phone, say, with a scan of your face or your finger rather than a passcode. Those mechanisms work locally on your phone and don't require that companies store a big trove of user passwords—or your sensitive biometric details—on a server to check logins. You can also now use stand-alone physical tokens in certain cases to log in wirelessly and without a password. The idea is that, eventually, you'll be able to do that for pretty much everything.

Article note: ...The drama dragged on for so long the requirements are no longer what is needed.

Article note: ...That's uncanny. And hilarious.